Apple Vishing Scam Uncovered

A cybersecurity blog has reported that a new vishing scam in which the scammer pretends to be an employee of Apple Inc. has been uncovered.

Vishing is a less common form of phishing attack. The scammer uses voice calls to convince their victim that they are an employee of a legitimate organisation in an attempt to fool them into revealing sensitive information, such as credit card numbers or login credentials. The scammer will then use this information for nefarious purposes, often for personal financial gain. The effects of such fraud can often be devastating to the victims.

The extent of this scam was uncovered by Brian Krebs, an American journalist and author of the daily blog KrebsOnSecurity. Jody Westby, CEO of Global Cyber Risk LLC, contacted him after receiving one of the scam calls. The automated call on her phone included a fake warning that multiple servers containing Apple user IDs had been compromised and that her data was at risk, and she was asked to urgently call a given number.

The caller ID showed Apple’s real address, their real customer support number, and the apple.com domain name. Suspicious of the call, Westby then contacted Apple through a number found on their website; Apple confirmed that no agent had been told to contact her regarding compromised user IDs. At this point, she recognised that the earlier call had been a scam, and reported the issue to KrebsOnSecurity. It is important to note that when she hung up from the call with the real Apple agent, her iPhone placed it in the same category as the fake calls, as if they had come from the same number. In other words, the iPhone was not able to distinguish between the real call and the fake one.

Krebs then called the number she had provided, and reached an automated answering system. He was then redirected to an “Apple” customer service agent with an Indian accent. After being placed on hold, the call was disconnected. Krebs assumed that the goal of the scam was the same as that of most phishing attempts: to obtain sensitive information to use for malicious purposes.

Vishing is becoming incredibly common in tech support scams, which claim that the user has a malware infection requiring the download of (fake) antivirus scanning software. That software is often itself malware or spyware, or the user is required to pay for assistance in removing the supposed malware.

This iPhone vishing scam differs from past scams as the call appears to have come from Apple Inc., and is displayed as such on the iPhone, along with genuine contact information (address, website, and phone number). It is an incredibly sophisticated scam, capable of not only fooling iPhone users, but the iPhone itself.

Well-crafted attacks such as this one require vigilance. If you get a phone call requiring you to take urgent action on an issue, don’t hand over any personal information until you can verify that the call is legitimate. Tell the caller that you will call them back on a phone number taken from the legitimate organisation’s website. Scams are becoming increasingly complicated, and it is generally advised not to accept calls from any unknown number, as Krebs suggests on his own website.

Krebs contacted Apple for comment, but has yet to receive a response.